网络空间安全之一个WH的超前沿全栈技术深入学习之路(10)——NMAP 高级使用技巧和漏洞扫描发现:就怕你学成黑客啦!
网络空间安全之一个WH的超前沿全栈技术深入学习之路(10)——NMAP 高级使用技巧和漏洞扫描发现:就怕你学成黑客啦!
盛透侧视攻城狮
发布于 2024-11-26 12:16:53
发布于 2024-11-26 12:16:53
代码可运行
运行总次数:0
代码可运行
1 NMAP 高级使用技巧
1.2 NMAP 语法及示例
语法:
nmap [Scan Type(s)] [Options]例 1:使用 nmap 扫描一台服务器
默认情况下,Nmap 会扫描 1000 个最有可能开放的 TCP 端口。
root㉿kali-2024)-[/home/ljs/Desktop]
└─# nmap www.huawei.com
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-11-22 21:58 CST
Nmap scan report for www.huawei.com (221.229.162.66)
Host is up (0.011s latency).
Other addresses for www.huawei.com (not scanned): 221.229.162.68 58.221.70.120 58.221.70.121 240e:978:1509::8d 240e:978:1231:0:2::45 240e:978:1231:0:2::46 240e:978:1509::8c
Not shown: 988 filtered tcp ports (no-response)
PORT STATE SERVICE
80/tcp open http
443/tcp open https
888/tcp open accessbuilder
1935/tcp open rtmp
3000/tcp open ppp
4443/tcp open pharos
5100/tcp open admd
8080/tcp open http-proxy
8088/tcp open radan-http
8180/tcp open unknown
8443/tcp open https-alt
8888/tcp open sun-answerbook
Nmap done: 1 IP address (1 host up) scanned in 4.83 seconds
例 2: 扫描一台机器,查看它打开的端口及详细信息。
参数说明: -v 表示显示冗余信息,在扫描过程中显示扫描的细节,从而让用户了解当前的扫描状态
┌──(root㉿kali-2024)-[/home/ljs/Desktop]
└─# nmap -v www.baidu.com
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-11-22 21:57 CST
Initiating Ping Scan at 21:57
Scanning www.baidu.com (180.101.50.188) [4 ports]
Completed Ping Scan at 21:57, 0.04s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 21:57
Completed Parallel DNS resolution of 1 host. at 21:57, 0.00s elapsed
Initiating SYN Stealth Scan at 21:57
Scanning www.baidu.com (180.101.50.188) [1000 ports]
Discovered open port 443/tcp on 180.101.50.188
Discovered open port 80/tcp on 180.101.50.188
Completed SYN Stealth Scan at 21:57, 6.79s elapsed (1000 total ports)
Nmap scan report for www.baidu.com (180.101.50.188)
Host is up (0.0024s latency).
Other addresses for www.baidu.com (not scanned): 180.101.50.242 240e:e9:6002:15a:0:ff:b05c:1278 240e:e9:6002:15c:0:ff:b015:146f
Not shown: 998 filtered tcp ports (no-response)
PORT STATE SERVICE
80/tcp open http
443/tcp open https
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 6.98 seconds
Raw packets sent: 2007 (88.264KB) | Rcvd: 5 (208B)
例 3:扫描一个范围: 端口 1-65535
root㉿kali-2024)-[/home/ljs/Desktop]
└─# nmap -p 1-65535 192.168.1.63
Starting Nmap 5.21 ( http://nmap.org ) at 2024-11-22 22:03 CST
Nmap scan report for xuegod63.cn (192.168.1.63)
Host is up (0.00042s latency).
Not shown: 65531 closed ports
PORT STATE SERVICE
111/tcp open rpcbind
997/tcp open maitrd
5672/tcp open amqp
53095/tcp open unknown
MAC Address: 00:0C:29:48:80:95 (VMware)注:生产环境下,我们只需要开启正在提供服务的端口,其他端口都关闭。
关闭不需要开的服务有两种方法:
情景 1:
你认识这个服务,直接关服务
systemctl stop rpcbind情景 2:
不认识这个服务,查看哪个进程使用了这个端口并找出进程的路径,然后 kill 进程,删除文 件,接下来以 22 端口为例,操作思路如下:
lsof -i :22 #查看 22 端口正在被哪个进程使用
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
sshd 1089 root 3u IPv4 21779 0t0 TCP *:ssh (LISTEN)通过 ps 命令查找对应的进程文件:
ps -axu | grep 1089
root 1089 0.0 0.1 105996 3744 ? Ss 10:52 0:00 /usr/sbin/sshd -D注:看到进程的文件的路径是/usr/sbin/sshd 。如果没有看到此命令的具体执行路径,说明此木马进程可以在 bash 终端下直接执行,通过 which 和 rpm -qf 来查看命令的来源,如下:
which vim
/usr/bin/vim解决:
kill -9 1781总结:例3这个思路主要用于找出黑客监听的后门端口和木马存放的路径。
例 4: 扫描一台机器:查看此服务器开放的端口号和操作系统类型。
─(root㉿kali-2024)-[/home/ljs/Desktop]
└─# nmap -sS -O www.huawei.com
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-11-22 22:09 CST
Nmap scan report for www.huawei.com (221.229.162.68)
Host is up (0.010s latency).
Other addresses for www.huawei.com (not scanned): 58.221.70.120 58.221.70.121 221.229.162.66 240e:978:1509::8c 240e:978:1509::8d 240e:978:1231:0:2::45 240e:978:1231:0:2::46
Not shown: 978 filtered tcp ports (no-response)
PORT STATE SERVICE
80/tcp open http
110/tcp closed pop3
113/tcp closed ident
143/tcp closed imap
256/tcp closed fw1-secureremote
443/tcp open https
444/tcp open snpp
587/tcp closed submission
888/tcp open accessbuilder
995/tcp closed pop3s
1025/tcp closed NFS-or-IIS
1935/tcp open rtmp
3000/tcp open ppp
4443/tcp open pharos
7443/tcp open oracleas-https
8000/tcp open http-alt
8080/tcp open http-proxy
8081/tcp open blackice-icecap
8088/tcp open radan-http
8180/tcp open unknown
8888/tcp open sun-answerbook
9200/tcp open wap-wsp
Device type: WAP|general purpose
Running (JUST GUESSING): Actiontec embedded (86%), Linux 2.4.X (86%), Microsoft Windows XP|7|2012 (86%)
OS CPE: cpe:/h:actiontec:mi424wr-gen3i cpe:/o:linux:linux_kernel cpe:/o:linux:linux_kernel:2.4.37 cpe:/o:microsoft:windows_xp::sp3 cpe:/o:microsoft:windows_7 cpe:/o:microsoft:windows_server_2012
Aggressive OS guesses: Actiontec MI424WR-GEN3I WAP (86%), DD-WRT v24-sp2 (Linux 2.4.37) (86%), Microsoft Windows XP SP3 or Windows 7 or Windows Server 2012 (86%)
No exact OS matches for host (test conditions non-ideal).
OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 18.06 seconds
参数说明:
- -O: 显示出操作系统的类型。 每一种操作系统都有一个指纹。
- -sS:半开扫描(half-open)
- TCP 同步扫描(TCP SYN):因为不必全部打开一个 TCP 连接,所以这项技术通常称为半开扫描(half-open)。
- 你可以发出一个 TCP 同步包(SYN),然后等待回应。如果对方返回 SYN|ACK(响应)包就表示目标端口正在监听;
- 如果返回 RST 数据包,就表示目标端口没有监听程序;如果收到一个SYN|ACK 包,源主机就会马上发出一个 RST(复位)数据包断开和目标主机的连接,这实际上由我们的操作系统内核自动完成的。
- 当服务器端口开放时,半连接扫描过程如图 1 ,当服务器端口关闭时,半连接扫描过程如图 2
测试自己的电脑(物理机):
(root㉿kali-2024)-[/home/ljs/Desktop]
└─# nmap -sS -O 192.168.37.1
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-11-22 22:19 CST
Nmap scan report for 192.168.37.1
Host is up (0.00092s latency).
Not shown: 996 filtered tcp ports (no-response)
PORT STATE SERVICE
22/tcp open ssh
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Microsoft Windows XP SP3 or Windows 7 or Windows Server 2012 (93%), Microsoft Windows XP SP3 (91%), VMware Player virtual NAT device (91%), Actiontec MI424WR-GEN3I WAP (89%), DD-WRT v24-sp2 (Linux 2.4.37) (89%), Linux 3.2 (87%), Linux 4.4 (85%)
No exact OS matches for host (test conditions non-ideal).
OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 10.07 seconds
例 5:扫描一个网段中所有机器是什么类型的操作系统。
┌──(root㉿kali-2024)-[/home/ljs/Desktop]
└─# nmap -sS -O 192.168.79.0/24
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-11-22 22:23 CST
Nmap scan report for 192.168.79.1
Host is up (0.00045s latency).
Not shown: 999 filtered tcp ports (no-response)
PORT STATE SERVICE
22/tcp open ssh
MAC Address: 00:50:56:C0:00:08 (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows XP (87%)
OS CPE: cpe:/o:microsoft:windows_xp::sp3
Aggressive OS guesses: Microsoft Windows XP SP3 (87%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop
Nmap scan report for 192.168.79.2
Host is up (0.000094s latency).
Not shown: 999 closed tcp ports (reset)
PORT STATE SERVICE
53/tcp filtered domain
MAC Address: 00:50:56:EE:62:AC (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: specialized
Running: VMware Player
OS CPE: cpe:/a:vmware:player
OS details: VMware Player virtual NAT device
Network Distance: 1 hop
Nmap scan report for 192.168.79.254
Host is up (0.00012s latency).
All 1000 scanned ports on 192.168.79.254 are in ignored states.
Not shown: 1000 filtered tcp ports (no-response)
MAC Address: 00:50:56:F1:1C:00 (VMware)
Too many fingerprints match this host to give specific OS details
Network Distance: 1 hop
Nmap scan report for 192.168.79.135
Host is up (0.000052s latency).
All 1000 scanned ports on 192.168.79.135 are in ignored states.
Not shown: 1000 closed tcp ports (reset)
Too many fingerprints match this host to give specific OS details
Network Distance: 0 hops
OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 256 IP addresses (4 hosts up) scanned in 14.03 seconds
例 6: 查找一些有特点的 IP 地址中,开启 80 端口的服务器
┌──(root㉿kali-2024)-[/home/ljs/Desktop]
└─# nmap -v -p 80 192.168.1.62-67
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-11-22 22:24 CST
Initiating Ping Scan at 22:24
Scanning 6 hosts [4 ports/host]
Completed Ping Scan at 22:24, 3.03s elapsed (6 total hosts)
Initiating Parallel DNS resolution of 6 hosts. at 22:24
Completed Parallel DNS resolution of 6 hosts. at 22:24, 0.29s elapsed
Initiating SYN Stealth Scan at 22:24
Scanning 6 hosts [1 port/host]
Completed SYN Stealth Scan at 22:24, 0.22s elapsed (6 total ports)
Nmap scan report for 192.168.1.62
Host is up (0.00033s latency).
PORT STATE SERVICE
80/tcp filtered http
Nmap scan report for 192.168.1.63
Host is up (0.00038s latency).
PORT STATE SERVICE
80/tcp filtered http
Nmap scan report for 192.168.1.64
Host is up (0.00038s latency).
PORT STATE SERVICE
80/tcp filtered http
Nmap scan report for 192.168.1.65
Host is up (0.00037s latency).
PORT STATE SERVICE
80/tcp filtered http
Nmap scan report for 192.168.1.66
Host is up (0.00036s latency).
PORT STATE SERVICE
80/tcp filtered http
Nmap scan report for 192.168.1.67
Host is up (0.00034s latency).
PORT STATE SERVICE
80/tcp filtered http
Read data files from: /usr/bin/../share/nmap
Nmap done: 6 IP addresses (6 hosts up) scanned in 3.68 seconds
Raw packets sent: 42 (1.624KB) | Rcvd: 6 (240B)
例 7:如何更隐藏的去扫描,频繁扫描会被屏蔽或者锁定 IP 地址。
加几个有意思的参数:
- --randomize_hosts # 随机扫描,对目标主机的顺序随机划分
- --scan-delay #延时扫描,单位秒,调整探针之间的延迟
(1).随机扫描
(root㉿kali-2024)-[/home/ljs/Desktop]
└─# nmap -v --randomize-hosts -p 80 192.168.1.62-69
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-11-22 22:26 CST
Initiating Ping Scan at 22:26
Scanning 8 hosts [4 ports/host]
Completed Ping Scan at 22:26, 3.02s elapsed (8 total hosts)
Initiating Parallel DNS resolution of 8 hosts. at 22:26
Completed Parallel DNS resolution of 8 hosts. at 22:26, 4.00s elapsed
Initiating SYN Stealth Scan at 22:26
Scanning 8 hosts [1 port/host]
Completed SYN Stealth Scan at 22:26, 0.22s elapsed (8 total ports)
Nmap scan report for 192.168.1.65
Host is up (0.000052s latency).
PORT STATE SERVICE
80/tcp filtered http
Nmap scan report for 192.168.1.67
Host is up (0.00011s latency).
PORT STATE SERVICE
80/tcp filtered http
Nmap scan report for 192.168.1.69
Host is up (0.000041s latency).
PORT STATE SERVICE
80/tcp filtered http
Nmap scan report for 192.168.1.66
Host is up (0.000060s latency).
PORT STATE SERVICE
80/tcp filtered http
Nmap scan report for 192.168.1.68
Host is up (0.000087s latency).
PORT STATE SERVICE
80/tcp filtered http
Nmap scan report for 192.168.1.63
Host is up (0.00026s latency).
PORT STATE SERVICE
80/tcp filtered http
Nmap scan report for 192.168.1.64
Host is up (0.00014s latency).
PORT STATE SERVICE
80/tcp filtered http
Nmap scan report for 192.168.1.62
Host is up (0.000071s latency).
PORT STATE SERVICE
80/tcp filtered http
Read data files from: /usr/bin/../share/nmap
Nmap done: 8 IP addresses (8 hosts up) scanned in 7.35 seconds
Raw packets sent: 58 (2.232KB) | Rcvd: 8 (320B)
(2)、随机扫描+延时扫描 ,默认单位秒
──(root㉿kali-2024)-[/home/ljs/Desktop]
└─# nmap -v --randomize-hosts --scan-delay 3000ms -p 80 192.168.1.62-69
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-11-22 22:28 CST
Initiating Ping Scan at 22:28
Scanning 8 hosts [4 ports/host]
Completed Ping Scan at 22:28, 16.02s elapsed (8 total hosts)
Initiating Parallel DNS resolution of 8 hosts. at 22:28
Completed Parallel DNS resolution of 8 hosts. at 22:28, 0.01s elapsed
Initiating SYN Stealth Scan at 22:28
Scanning 8 hosts [1 port/host]
Completed SYN Stealth Scan at 22:29, 9.01s elapsed (8 total ports)
Nmap scan report for 192.168.1.62
Host is up (0.00019s latency).
例 8:使用通配符指定 IP 地址
nmap -v --randomize-hosts --scan-delay 30 -p 80 1.*.2.3-8
#简言之,1.*.2.3-8 会扫描 1.0.2.3 到 1.255.2.8 之间的所有 IP 地址,共计扫描 6 * 256 = 1536 个地址,扫描每个 IP 地址的端口 80
1.3 图形界面 zenmap 的使用
参数解释:
nmap -T4 -A -v xuegod.cn- -A 完全扫描,对操作系统和软件版本号进行检测,并对目标进行 traceroute 路由探测,-O 参数仅识别目标操作系统,并不做软件版本检测和路由探测。
- -T4 指定扫描过程使用的时序(Timing),总有 6 个级别(0-5),级别越高,扫描速度越快,但也
- 容易被防火墙或 IDS 检测并屏蔽掉,在网络通讯状况良好的情况推荐使用 T4。
- -v 表示显示冗余(verbosity)信息,在扫描过程中显示扫描的细节,从而让用户了解当前的扫描状态。
1.4 zenmap 脚本介绍
第一种:Intense scan
(nmap -T4 -A -v)
一般来说,Intense scan 可以满足一般扫描
-T4 加快执行速度
-A 操作系统及版本探测
-v 显示详细的输出第二种:Intense scan plus UDP
nmap -sS -sU -T4 -A -v
即 UDP 扫描
-sS TCP SYN 扫描
-sU UDP 扫描第三种:Intense scan,all TCP ports
nmap -p 1-65536 -T4 -A -v
扫描所有 TCP 端口,范围在 1-65535,试图扫描所有端口的开放情况,速度比较慢。
-p 指定端口扫描范围
第四种:Intense scan,no ping
nmap -T4 -A -v -Pn
非 ping 扫描
-Pn 非 ping 扫描第五种:Ping scan
nmap -sn
Ping 扫描
优点:速度快。
缺点:容易被防火墙屏蔽,导致无扫描结果
-sn ping 扫描第六种:Quick scan
常规扫描第七种:Quick scan plus
nmap -sV -T4 -O -F --version-light
快速扫描加强模式
-sV 探测端口及版本服务信息。
-O 开启 OS 检测
--version-light 设定侦测等级为 2。第八种:Quick traceroute
nmap -sn --traceroute
路由跟踪
-sn Ping 扫描,关闭端口扫描
-traceroute 显示本机到目标的路由跃点。第九种:Regular scan
常规扫描第十种:Slow comprehensive scan
nmap -sS -sU -T4 -A -v -PE -PP -PS80,443,-PA3389,PU40125 -PY -g 53 --script all
慢速全面扫描。
本文参与 腾讯云自媒体同步曝光计划,分享自作者个人站点/博客。
原始发表:2024-11-22,如有侵权请联系 cloudcommunity@tencent.com 删除
评论
登录后参与评论
推荐阅读
目录
腾讯云开发者
